you should NOT store any static/fixed user information for login purposes in a cookie, since anyone stealing/capturing those cookie values can log in as the actual user until the values get changed and i'm betting you don't want your users to keep changing their usernames and passwords in case someone has managed to get a copy of them.
you should also NOT store the username and hashed password in session variables. you should store the user's id (auto-increment database table column) in the session variable and use that id from the session variable to query for any other user information. this will allow the username to be edited by a moderator/admin to your site, without requiring the user to log out and back in again for the edit to take effect.
the way to implement a remember me system is to generate a unique random token when the user successfully logs in, store that in the user's row in the database table and store it in the cookie.
as part of the login check, if the current visitor is not logged in (no session variable with the user id), check if the cookie holding the token exists. if it does, query to find the row of data that matches the token value. if a row is found, fetch the user's id and store that in the session variable. all the rest of the code testing that session variable will remain the same.
next, using sha1() to hash passwords is not very secure since it is easy with today's personal computers to quickly brute force generate 'rainbow' tables of password values to hashes. you need to use php's password_hash() and password_verify() functions.
to convert current users, add a column to the users table to hold the new hash value. when a user tries to log in, if the user has a value in the new hash column, use that in the login code, using password_verify() to compare the submitted password value with the hash value. if they don't have a value in the new hash column, use the value from the existing hash column to perform the login check. if the old-hash login is successful, generate a new hash using password_hash(), store that in the new hash column, and clear the existing hash column.
Edited by mac_gyver, 10 October 2017 - 12:54 AM.
multi-purpose programming fool. well written source-code should be self-documenting. well written code should be self-troubleshooting.
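
The hash conversion procedure described in the post above, written out in PHP as an added example (not the poster's code). The `users` table layout, the `old_hash` and `new_hash` column names, an unsalted `sha1()` legacy value, and the sample account are assumptions; the `password_needs_rehash()` step goes beyond what the post describes.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(id, username, old_hash = legacy sha1 hex, new_hash = password_hash() output).
// Returns the user's id on success (the value to keep in the session), or null on failure.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, old_hash, new_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    if ($row['new_hash'] !== null) {
        // Already converted: only the new hash is consulted.
        if (!password_verify($password, $row['new_hash'])) {
            return null;
        }
        // Re-hash if PHP's default algorithm or cost has changed since the hash was stored.
        if (password_needs_rehash($row['new_hash'], PASSWORD_DEFAULT)) {
            store_new_hash($db, (int) $row['id'], $password);
        }
        return (int) $row['id'];
    }

    // Not converted yet: compare against the legacy sha1 value in constant time.
    if ($row['old_hash'] === null || !hash_equals($row['old_hash'], sha1($password))) {
        return null;
    }
    store_new_hash($db, (int) $row['id'], $password);
    return (int) $row['id'];
}

// Writes the password_hash() value and clears the legacy column in one statement.
function store_new_hash(PDO $db, int $id, string $password): void
{
    $stmt = $db->prepare('UPDATE users SET new_hash = ?, old_hash = NULL WHERE id = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
}

// Constructed sample data: one legacy user in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, old_hash TEXT, new_hash TEXT)');
$db->prepare('INSERT INTO users (username, old_hash) VALUES (?, ?)')->execute(['alice', sha1('example-password')]);
var_dump(login($db, 'alice', 'example-password'));   // first login migrates the row
var_dump(login($db, 'alice', 'wrong'));
var_dump($db->query('SELECT old_hash IS NULL, new_hash IS NOT NULL FROM users')->fetch(PDO::FETCH_NUM));
```

Accounts that never log in again keep their sha1 value, so the legacy column cannot be dropped until those users are forced through a password reset.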